1406733 - Crash in PLDHashTable::Add | DispatchToTracer<T>

Status: RESOLVED DUPLICATE of bug 1296631

(Core :: XPCOM, defect, P1)

Description

[[:philipp]]

This bug was filed from the Socorro interface and is 
report bp-495c87d4-0c05-4bba-aeae-a4aaf0171007.
=============================================================
Crashing Thread (0)
Frame 	Module 	Signature 	Source
0 	xul.dll 	PLDHashTable::Add(void const*, mozilla::fallible_t const&) 	xpcom/ds/PLDHashTable.cpp:582
1 	xul.dll 	DispatchToTracer<JS::Value>(JSTracer*, JS::Value*, char const*) 	js/src/gc/Marking.cpp:690
2 	xul.dll 	JSObject::traceChildren(JSTracer*) 	js/src/jsobj.cpp:4028
3 	xul.dll 	JS::DispatchTraceKindTyped<TraceChildrenFunctor, JSTracer*&, void*&>(TraceChildrenFunctor, JS::TraceKind, JSTracer*&, void*&) 	js/public/TraceKind.h:196
4 	xul.dll 	mozilla::CycleCollectedJSRuntime::NoteGCThingJSChildren(JS::GCCellPtr, nsCycleCollectionTraversalCallback&) 	xpcom/base/CycleCollectedJSRuntime.cpp:653
5 	xul.dll 	CCGraphBuilder::BuildGraph(js::SliceBudget&) 	xpcom/base/nsCycleCollector.cpp:2314
6 	xul.dll 	nsCycleCollector::MarkRoots(js::SliceBudget&) 	xpcom/base/nsCycleCollector.cpp:2932
7 	xul.dll 	nsCycleCollector::Collect(ccType, js::SliceBudget&, nsICycleCollectorListener*, bool) 	xpcom/base/nsCycleCollector.cpp:3734
8 	xul.dll 	nsCycleCollector_collectSlice(js::SliceBudget&, bool) 	xpcom/base/nsCycleCollector.cpp:4314
9 	xul.dll 	nsJSContext::RunCycleCollectorSlice(mozilla::TimeStamp) 	dom/base/nsJSEnvironment.cpp:1537
10 	xul.dll 	ICCRunnerFired 	dom/base/nsJSEnvironment.cpp:1596
11 	xul.dll 	std::_Func_impl<bool (*)(mozilla::TimeStamp), std::allocator<int>, bool, mozilla::TimeStamp>::_Do_call(mozilla::TimeStamp&&) 	vs2015u3/VC/include/functional:212
12 	xul.dll 	mozilla::IdleTaskRunner::Run() 	xpcom/threads/IdleTaskRunner.cpp:62
13 	xul.dll 	nsThread::ProcessNextEvent(bool, bool*) 	xpcom/threads/nsThread.cpp:1039
14 	xul.dll 	mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) 	ipc/glue/MessagePump.cpp:97
15 	xul.dll 	mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) 	ipc/glue/MessagePump.cpp:301
16 	xul.dll 	MessageLoop::RunHandler() 	ipc/chromium/src/base/message_loop.cc:319
17 	xul.dll 	MessageLoop::Run() 	ipc/chromium/src/base/message_loop.cc:299
18 	xul.dll 	nsBaseAppShell::Run() 	widget/nsBaseAppShell.cpp:158
19 	xul.dll 	nsAppShell::Run() 	widget/windows/nsAppShell.cpp:230
20 	xul.dll 	XRE_RunAppShell() 	toolkit/xre/nsEmbedFunctions.cpp:880
21 	xul.dll 	mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) 	ipc/glue/MessagePump.cpp:269
22 	xul.dll 	MessageLoop::RunHandler() 	ipc/chromium/src/base/message_loop.cc:319
23 	xul.dll 	MessageLoop::Run() 	ipc/chromium/src/base/message_loop.cc:299
24 	xul.dll 	XRE_InitChildProcess(int, char** const, XREChildData const*) 	toolkit/xre/nsEmbedFunctions.cpp:705
25 	xul.dll 	mozilla::BootstrapImpl::XRE_InitChildProcess(int, char** const, XREChildData const*) 	toolkit/xre/Bootstrap.cpp:65
26 	firefox.exe 	content_process_main(mozilla::Bootstrap*, int, char** const) 	ipc/contentproc/plugin-container.cpp:63
27 	firefox.exe 	wmain 	toolkit/xre/nsWindowsWMain.cpp:115
28 	firefox.exe 	__scrt_common_main_seh 	f:/dd/vctools/crt/vcstartup/src/startup/exe_common.inl:253
29 	kernel32.dll 	BaseThreadInitThunk 	
30 	ntdll.dll 	__RtlUserThreadStart 	
31 	ntdll.dll 	_RtlUserThreadStart

this crash signature on 32bit builds of firefox on windows started rising with 57.0b5. it's stacks are somewhat similar to the [@ DispatchToTracer<T>] signature, but that didn't start to decline on beta instead...

Comment 1

[Jon Coppeard (:jonco)]

Tentatively moving this to XPCOM as it looks like a problem during cycle collection.

Comment 2

[Nathan Froyd [:froydnj]]

I feel like we've seen this bug before; the crash reports say we're crashing on:

  PLDHashEntryHdr* entry = SearchTable<ForAdd>(aKey, keyHash);

with a (typically) nullptr deref.  Which is nonsense, unless SearchTable is getting inlined here and the debug information is terrible.

Ah, yes, bug 1342556 is the bug I'm thinking of, and that's a dup of bug 1296631.  Going to say this is just a dup as well.

Comment 3

[Liz Henry (:lizzard) (relman/hg->git project)]

Tracking this in bug 1296631.